Motivation

Speech by Secretary of Defense
William S. Cohen, February 18, 
The public need for wireless reliability
increased dramatically when PCS started t 
reality 

In the past, reliability and privacy issues were 
addressed from the viewpoint of the service provider -- 
not necessarily the user 

Future systems must satisfy the needs of users as well 
Wireless communication sysl
denial-of-service attacks 

Wireless network links are natural “wire taps” ii 
network 

Users are generally unaware of the security issues 
associated with a wireless link 


“End-to-end” seamless security needs to be provided by
the equipment manufacturers 
Rockwell-Collins, GPS Programs, High Anti-jam General
Development Model (GDM), 4 years 

Anti-jam receiver design at Rockwell 

Author of anti-jam systems design monograph at Rockwell 

Consultant to RCA/Camden on high-antijam frequency- 
hopping communication system 

PI on wireless security grant from Rockwell Foundation, 2 
years 

Developed wireless security program and web site at ISU 
Wireless Network Security
Denial of Access
Denial of Service
Interception
Network Security



Wireless Channel Security 
The Service Provider
The Equipment Manufacturer 
The Customer 
Loss of Revenue
Quality of Service
Customer Perceptions 





Cost 

Reliability 

Customer and Service Provider 
Perceptions 
Privacy (Security and anonymity)


Encryption 

Position Location and Identification (E 9-1-1) 

User identification outside the service
provider's system
♦ Implemented by October 2001
♦ Location of Mobile Station Must be Provided to Public Safety Answering Point
♦ Latitude & Longitude
♦ Accuracy of 125 Meters 57% of the Time







Land Mobile and Special Mobile Radio (SMR)


Cordless Telephone 
[Figure labels: USER, DISRUPT, USER, EXPLOIT, BASE, DISRUPT]
COUNTERFEIT COMMUNICATION
(Spoofing)


POSITION MONITORING 


EAVESDROPPING (3rd Party) 


DENIAL OF SERVICE 
(Jamming) 


THEFT OF SERVICES 


DENIAL OF SERVICE 
(Jamming) 
Fig. 0085
Number Cloning

Skills and technology costs needed to clo 
relatively low 

This was a significant problem for service provider 
but effective solutions are now available 


Decryption 

Computational time and costs are prohibitive for advanced 
methods 

Encryption techniques continue to advance to the point where 
this is not a problem in well-designed systems 
Past, Immediat
Threats (cont.)


Intrusion 

This is a significant threat but is still too 
sophisticated except for government agencies

Intrusion detection methods are still in the researc 
much work remains to be done 

IS-95 counterfeit base (an example is given later) 

Position Location 

The technologies being developed for E911 can be used for 
locating and tracking individuals 

Public resistance to “big brother” tracking will increase 
Antijam system designs are needed




Data Interleaving and proper media access control 
design can improve reliability 


Spoofing 


System designs must improve the ways that both the mobile 
and base are identified and authenticated 




wire@ISU.ppt SFR Aug 17, 2000 Page 25 


The simple, low-cos 


Denial-of-Service (DOS) 

Brute force jamming (barrage jamming) 

“Wavewall” product (Demo?) 

Base station call setup spoofing 

False control signals over the setup (usually paging) channel 

Eavesdropping 

Forced analog operation (jam the TDMA or CDMA cellphone 
channel)

Base station impersonation (very costly in some systems but 
easy in some cordless phones) 







A well-designed denial-of-s 
will act like network congestion o 
intermittent data connection 
Wireless Network

[Figure: Simplified Diagram of a Wireless Access Point in a Wireless Local Area Network. Block labels: Mobile Computer, Media Access Control Bridge, Full Duplex Radio Terminal, Public Network, Media Access Control Bridge]
Basic System Components in a Multi-User, Spread-Spectrum Communication System


Fig. 0002 
Scenario
Adaptive (Smart)


Transmitting antennas maximi 
direction of friendly receivers 

Receiving antennas maximize directive 
in the direction of friendly transmitters 

Receiving antennas steer a null in the 
direction of an interfering transmitter 
Antijam Recei
increase) 

Use frequency hopping designs 

Direct sequence systems are too easy to j 
unless the antijam (AJ) margin is large (this 
means a large spreading bandwidth) 

Hop as fast as practical

400-1000 hops per second should make it difficult 
for most follower jammers 
Antijam Receiv


Use high-performance narrowban* 


These minimize interference due to o 
front end overload and spurious resp 


Implement adaptive, interference-rejection s 
filters 


Employ high-dynamic-range circuits and software 


algorithms 



This minimizes overload due to high interfering 
signals 
CONTINUE HERE NEXT TIME


Antijam Receiver Design (cont.)

Implement a hopping RF preselector filter
This gives best performance but is costly 







Robust ACK/NAK for uncorrectable errors 
Use data interleaving to mitigate unsophisticated 


Security and R 
Data Link (MA

Design for a high error rate 
Smaller data packets 
Error detection and correction 
jammers


This will probably make voice over data 
impractical 
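
How the interleaving and error-correction bullets above work together against a burst of interference, as an added example that is not from the original slides. The Hamming(7,4) code, the interleaver depth of 8 and the sample data are assumptions chosen for illustration.

```python
# Added illustration: block interleaving plus single-error correction against a burst.
# Hamming(7,4), depth 8 and the data below are assumptions, not from the slides.

def hamming_encode(d):
    """4 data bits -> 7-bit codeword; parity bits sit at positions 1, 2 and 4."""
    c = [0, 0, d[0], 0, d[1], d[2], d[3]]
    c[0] = c[2] ^ c[4] ^ c[6]
    c[1] = c[2] ^ c[5] ^ c[6]
    c[3] = c[4] ^ c[5] ^ c[6]
    return c

def hamming_decode(c):
    """Correct at most one flipped bit, then return the 4 data bits."""
    syndrome = 0
    for pos, bit in enumerate(c, start=1):
        if bit:
            syndrome ^= pos          # XOR of set positions points at the bad bit
    c = list(c)
    if syndrome:
        c[syndrome - 1] ^= 1
    return [c[2], c[4], c[5], c[6]]

def interleave(codewords):
    """Send bit 1 of every codeword, then bit 2 of every codeword, and so on."""
    return [cw[col] for col in range(7) for cw in codewords]

def deinterleave(stream, depth):
    return [[stream[col * depth + row] for col in range(7)] for row in range(depth)]

def nibbles_lost(data, use_interleaver, burst_start, burst_len):
    """Count 4-bit blocks decoded wrongly after a burst of consecutive bit errors."""
    codewords = [hamming_encode(d) for d in data]
    if use_interleaver:
        stream = interleave(codewords)
    else:
        stream = [bit for cw in codewords for bit in cw]
    for i in range(burst_start, burst_start + burst_len):
        stream[i] ^= 1               # interference flips a run of adjacent bits
    if use_interleaver:
        received = deinterleave(stream, len(data))
    else:
        received = [stream[i:i + 7] for i in range(0, len(stream), 7)]
    return sum(hamming_decode(cw) != d for cw, d in zip(received, data))

# Constructed sample data: eight 4-bit blocks (interleaver depth 8).
DATA = [[(n >> k) & 1 for k in range(4)] for n in (3, 9, 14, 0, 7, 12, 5, 10)]

if __name__ == "__main__":
    print("lost without interleaving:", nibbles_lost(DATA, False, 10, 6))
    print("lost with interleaving:   ", nibbles_lost(DATA, True, 10, 6))
```

A burst longer than the interleaver depth puts two errors into some codewords again, which is why the design also needs the ACK/NAK path for uncorrectable errors.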
Intrusion Detecti
Management 


Much research is still needed 


Monitor spectrum for interfering signals 


Log historical error rates and signal levels 


Alert system manager to unusual conditions 
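
One way to implement the three monitoring bullets above, as an added example that is not from the original slides: keep a rolling baseline of error rate, signal level and noise floor, and alert when errors rise without a matching drop in signal. The class name, thresholds and log values are assumptions constructed for illustration.

```python
from collections import deque
from statistics import mean, pstdev

class LinkMonitor:
    """Rolling baseline of error rate, signal level and noise floor for one link."""

    def __init__(self, window=50, min_history=10, z_limit=3.0, fade_db=10.0):
        self.history = deque(maxlen=window)  # clean (error_rate, signal_dbm, noise_dbm)
        self.min_history = min_history
        self.z_limit = z_limit               # assumed alert threshold
        self.fade_db = fade_db               # assumed signal drop that counts as a fade
        self.alerts = []                     # records for the system manager

    @staticmethod
    def _z(value, series, floor):
        # Floor the deviation so a very flat baseline cannot divide by zero.
        return (value - mean(series)) / max(pstdev(series), floor)

    def observe(self, error_rate, signal_dbm, noise_dbm):
        sample = (error_rate, signal_dbm, noise_dbm)
        if len(self.history) < self.min_history:
            self.history.append(sample)
            return "learning"
        errs, sigs, noises = zip(*self.history)
        err_high = self._z(error_rate, errs, 0.005) > self.z_limit
        noise_high = self._z(noise_dbm, noises, 1.0) > self.z_limit
        faded = signal_dbm < mean(sigs) - self.fade_db
        if noise_high or (err_high and not faded):
            self.alerts.append(sample)       # errors not explained by a weak signal
            return "interference"
        if err_high:
            return "weak-signal"             # errors explained by the mobile fading out
        self.history.append(sample)          # only clean samples update the baseline
        return "normal"

# Constructed log: ten quiet samples, then four test conditions.
LOG = [(0.010, -60, -95), (0.012, -61, -96), (0.011, -59, -94), (0.009, -60, -95),
       (0.013, -62, -95), (0.010, -60, -96), (0.011, -59, -94), (0.012, -61, -95),
       (0.010, -60, -96), (0.009, -58, -94),
       (0.011, -60, -95), (0.250, -61, -80), (0.200, -60, -95), (0.220, -85, -95)]

def classify(log):
    """Replay a log through a fresh monitor; return (verdicts, alerts)."""
    monitor = LinkMonitor()
    return [monitor.observe(*s) for s in log], monitor.alerts
```

The third test sample is the case that looks like congestion to a user: the error rate jumps while signal level and noise floor stay at baseline, so it is raised as an alert instead of being treated as a fade.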
Identification an


Both mobile and base should i 
authenticate each other 


Data Encryption at the Physical Layer 


!DO IT! 
Adaptive data rates when
is hostile

Level of service can be user selected
software or selected by automated intrusion
detection 
Proprietary Systems




Waveform information must be gathered by signal 
monitoring and analysis -- sometimes a difficult art 
expensive task 


Standard System 802.11

Waveform information is readily available in the 
standards documents 







Example: 




IS-95 counterfeit base 
[Figure labels: CDMA Connection; Mobile User (No Encryption); Analog Connection using cloned mobile parameters (Unsecure); Transgressor (Counterfeit Base Station); Base Station]
Example:

“Spectrum24(R)”


Operates under FCC Rules, Section 15.247 
Frequency Span of 2.4 GHz band (USA) 

2400 - 2483.5 MHz 

Frequency Spreading Method 
Frequency Hopping 

Hopping Channel Frequency Separation 

~1 MHz (based on 2-4 GFSK) 



Example:
“Spectrum24(R)”

Number of Hopping Frequencies

78 in the USA 

Hopping Dwell Time 

0.1 Seconds (10 hops/second) 

Modulation Format 

Gaussian 2-4 Frequency Shift Keying (GFSK) 





Example:
“Spectrum24(R)”



Data Rate 

.0-2.0 Megabits per second (specifications quote 




Multiple Access 

Carrier-sense, multiple access, collision avoidance (CSMA/CA)

Power outputs 

500 milliwatts out of the transmitter 
Media Access Control (MAC) layer Security


Not available 
Conferences and



Journal of Electronic Defense 




http://www.jedefense.com



Iowa State University - Information Systems Security Laboratory
(ISSL)


http://www.issl.org


Purdue University - Center for Education and Research in 
Information Assurance and Security 

Http://cerias@purdue.edu 

Telecommunications and Information Security Workshop 2000 
(TISW2000) 

Tulsa, OK, Sept. 27-28, with a post-session on Sept. 29 
http://ww.cis.utulsa.edu/tisw2000 
FP - ELECTRONIC - Security Syst<

Intercept System 

http://www.fp-electronic.de/swift.htm 

BARTEC, Bartlett Technologies - Communications
Assistance for Law Enforcement Act (CALEA) 

http://www.bartec.com/ 
http://www.bartec.com/content/whatshotCOPS.html 
GSM INTERCEPT WORKSHOPS


http://spyzone.com/spyzone/news/gsmwork.html 